Windows Server 2008 R2 and Windows 7 Group Policy

Advanced Audit Policy
Another security-related feature that you’ll find in Server 2008 R2 and Windows 7 is a much more granular auditing infrastructure. If you look under \Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration, you’ll see 10 different auditing categories that you can now tweak to control exactly which types of events generate security audits on Server 2008 R2 or Windows 7 systems. This new granularity, of course, is exposed only in these newest OS versions, but the fact that it’s manageable via Group Policy is a good thing.
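
To check that the subcategory settings deployed through Advanced Audit Policy Configuration actually took effect on a machine, the following added example (not part of the original article) compares the CSV report from auditpol /get /category:* /r against a desired baseline. The baseline values, host name and GUIDs in the sample are constructed for illustration.

```powershell
# Added example. Baseline values are illustrative assumptions, not recommendations from the article.
$baseline = @{
    'Logon'                     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Security Group Management' = 'Success'
}

# Constructed sample in the CSV layout of: auditpol /get /category:* /r
# (host name and GUIDs are placeholders, not real values).
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{00000000-0000-0000-0000-000000000001},Success,
HOST01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,
HOST01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000003},Success and Failure,
'@

function Compare-AuditBaseline {
    param(
        [string[]]$CsvLines,
        [hashtable]$Baseline
    )
    # auditpol may emit blank lines around the header; drop them before parsing.
    $rows = @($CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        # A subcategory missing from the report counts as non-compliant, not skipped.
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Baseline[$name])
        }
    }
}

# Offline run against the constructed sample.
Compare-AuditBaseline -CsvLines ($sampleCsv -split "`r?`n") -Baseline $baseline |
    Select-Object Subcategory, Expected, Actual, Compliant | Format-Table -AutoSize

# On a live system (elevated prompt; subcategory names are localized):
# Compare-AuditBaseline -CsvLines (auditpol /get /category:* /r) -Baseline $baseline
```

With the constructed sample, only Audit Policy Change is reported as compliant; Security Group Management is flagged because it is absent from the report.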

Network List Policies
The last new security policy I’ll discuss gives you the ability to control network lists. By default, when Server 2008 R2, Windows 7, or Vista systems find new networks, whether public wireless networks or corporate LANs, a user is prompted to indicate the type of network it is (e.g., public, domain, home). But by using Network List Policies in Group Policy, you can now preconfigure how particular networks behave and which zone they should be shunted into when a user finds them. You can also control the icons and the names of the networks that appear to the user. The only downside to using this policy area for preconfiguring wireless access points is that you need to know the name of the WAP ahead of time to configure all the various options. But this policy area is still a welcome addition for controlling users who frequently roam between networks.

Name Resolution Policy
The last new policy area, although not strictly a security policy (it’s found under \Computer Configuration\Windows Settings\Name Resolution Policy in GPE), lets you control DNS Security Extensions (DNSSEC) and Microsoft DirectAccess DNS configurations on a per-DNS domain name basis. For example, you can configure which features of DNSSEC are used for a given client talking to its DNS server, or which DNS and proxy servers a client connecting to your network via DirectAccess will use. Although not used by all shops, this feature is handy to have in Group Policy if you’re rolling out DirectAccess to your mobile users.

